Build Security into Your Development Process: Security Guards

Security guards are essential if you want to protect your business from cyber attacks and avoid being part of the next reputation-crushing headline about a major cybersecurity breach.

In today's world of complex, always-on applications, if you're not building security guards into your application, a cyber attack is no longer a question of if, but when.

And don’t make the mistake of thinking that this warning doesn’t apply to you if you work in QA. Building security guards into the application is not just the job of developers or security engineers. QA engineers also have an important role to play through security testing.

Below, I will explain why it's important to build security guards into your development and testing process—and to cultivate a security-centric culture across the organization.

It starts by adding a security engineer

The purpose of a Security Engineer (DevOps with security) is similar to that of a Test Automation Engineer or DevOps Engineer: to help teams move faster and ship higher-quality applications. Adding a Security Engineer to the development process has the same goals—to create a mindset that everyone is responsible for security, and to help developers ship more secure applications faster. It starts by working alongside development teams at every step of the way to help them incorporate security principles and practices into the development process.

Building better security awareness

The security culture shift doesn't happen overnight. Developing a cybersecurity culture begins with better security awareness by educating development teams. Yes—like QA, everyone is responsible for security. But a shift in culture is required for development teams to start accepting that responsibility. It's important to have a well-defined strategy that measures team success on security initiatives.

Potential security guards

Getting your development team up to speed starts by reviewing the security assessment, which identifies the methods used to collect security risks that could impact the business's reputation and customers. You have heard me preach this before: getting faster feedback to development teams requires us to shift to the left. No matter what, you have to integrate security guards into your continuous integration (CI) or continuous delivery (CD) pipeline. The earliest point (shifting to the left) at which to detect security exploits, vulnerabilities, vulnerable patterns, and coding gaps is the development stage.

I will not claim to be a security expert (I’m just a humble QA guy), but because security is everyone’s job, I am continuing to expand my knowledge about how to integrate security guards into the development process from the weekly conversations with our dedicated security team. Here is a list of potential security guards that should be integrated into your deployment pipeline.

Security Toolsets and Automation

Security as Code

Vulnerability Management

Vulnerability Scanning — Code and Artifacts / Package Repositories

Application Security

Container Security

Logging

Even my test automation code is being scanned, evaluated, and graded for security vulnerabilities and exploits. No one should be off the hook. In today's world, security guards are critical.
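As an added illustration of what one of these guards looks like in a pipeline (this is example code written for this page, not the author's or Gannett's tooling), the script below implements the "Security as Code" and "Vulnerability Management" items together: a policy checked into the repository decides which scanner findings fail the build, and time-limited exceptions record accepted risk. The findings format, the policy keys, the severity scale and the finding ids are all constructed for the example; a real stage would parse the report format of whichever scanner the team runs.

```python
"""
Added example: a minimal "security guard" stage for a CI pipeline.

It reads scanner findings, applies a policy-as-code threshold and fails the
build (non-zero exit) when the policy is violated. The findings shape below
(id, severity, package, fixed_version) is constructed for this example and is
not the output of any real scanner.
"""
import json
import sys
from dataclasses import dataclass
from datetime import date

# Severity ranking used by the policy (constructed, not tied to any tool's scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Policy as code: lives in the repo next to the pipeline definition, so changes
# to what is allowed through go through the same review as any other change.
POLICY = {
    "fail_at_or_above": "high",      # findings at this severity or worse block the build
    "require_fix_available": True,   # only block when an upgrade actually exists
    # Accepted risks with an expiry date; once expired, the exception no longer suppresses.
    "exceptions": {
        "CONSTRUCTED-0001": "2099-01-01",
    },
}

# Constructed sample scanner output used when no report path is given.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "CONSTRUCTED-0001", "severity": "critical", "package": "libfoo", "fixed_version": "1.2.3"},
        {"id": "CONSTRUCTED-0002", "severity": "high", "package": "libbar", "fixed_version": "2.0.1"},
        {"id": "CONSTRUCTED-0003", "severity": "medium", "package": "libbaz", "fixed_version": "0.9.9"},
        {"id": "CONSTRUCTED-0004", "severity": "high", "package": "libqux", "fixed_version": None},
    ]
})


@dataclass
class Verdict:
    passed: bool
    blocking: list     # finding ids that fail the build
    suppressed: list   # finding ids excused by an unexpired exception
    ignored: list      # findings below the threshold or with no fix available


def evaluate(report_json, policy, today):
    """Apply the policy to a findings report and return the build verdict."""
    findings = json.loads(report_json)["findings"]
    threshold = SEVERITY_RANK[policy["fail_at_or_above"]]
    blocking, suppressed, ignored = [], [], []
    for finding in findings:
        severity = SEVERITY_RANK.get(finding["severity"].lower(), 0)
        no_fix = policy["require_fix_available"] and not finding.get("fixed_version")
        if severity < threshold or no_fix:
            ignored.append(finding["id"])
            continue
        expiry = policy["exceptions"].get(finding["id"])
        if expiry and date.fromisoformat(expiry) > today:
            suppressed.append(finding["id"])
            continue
        blocking.append(finding["id"])
    return Verdict(passed=not blocking, blocking=blocking,
                   suppressed=suppressed, ignored=ignored)


def main(argv):
    """CI entry point: exit 1 when the guard blocks, so the pipeline stage fails."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    verdict = evaluate(report, POLICY, date.today())
    for fid in verdict.blocking:
        print(f"BLOCK     {fid}")
    for fid in verdict.suppressed:
        print(f"ACCEPTED  {fid} (exception on file)")
    for fid in verdict.ignored:
        print(f"INFO      {fid} (below threshold or no fix available)")
    print("security guard:", "PASS" if verdict.passed else "FAIL")
    return 0 if verdict.passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step (`python security_guard.py report.json`); the exit status is what makes it a guard rather than a report. Suppressed findings still print, so an accepted risk stays visible in every build log until its exception expires and it starts blocking again.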

Conclusion

What kind of security culture do you have at your company?

Nowadays everyone should have some security guards, but are they integrated into your development process? If not, with the right process, roadmap, and attitude, you'll start shifting the culture. The first major security initiative begins with security awareness: educating the development team on the process and roadmap, and reviewing security testing results with them.

Remember, it will not happen overnight. The shift will start to happen naturally, and your application will start becoming more secure than before. Everyone is responsible for quality and security. If you are new to this testing space, I highly recommend investing time into security testing to expand your knowledge on the subject.

Greg Sypolt (@gregsypolt) is Test Automation Architect at Gannett | USA Today Network, Fixate IO Contributor, and co-founder of Quality Element. Responsible for test automation solutions, test coverage (from unit to end-to-end), and continuous integration across all Gannett | USA Today Network products. In the last three years, he has helped change the testing approach from manual to automated testing across several products at Gannett | USA Today Network. To determine improvements and testing gaps, he conducted a face-to-face interview survey process to understand all the product development and deployment processes, testing strategies, tooling, and interactive in-house training programs.